On 10/16/2015 01:48 PM, Paul Wouters wrote:
> On Fri, 16 Oct 2015, Rick van Rein wrote:
>
>> 3) Similar to OpenPGP: Negotiate cert-type
>>
>> There is a cert-type for X.509 and for OpenPGP; add one for Kerberos
>> Tickets.
>>
>> PRO: Good integration with TLS: Tickets are transported in the
>> ClientCertificate, and an Authenticator is the ClientVerify.  DH is
>> independent and can move to the earlier phase for TLS 1.3.
>
> How is this type of TLS connection prevented from being MITM'ed by
> someone replaying kerberos tickets (which it cannot read itself)

I think it is not, if the Kerberos and DH parts are completely
orthogonal [and the Kerberos exchange is not mixed into the master
secret other than via the session hash].  Having the authenticator
include the DH public value or mixing the Kerberos session key into the
master secret are two options that come to mind right away.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
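The replay Paul describes and the two bindings Ben suggests, as a toy model added here (example code, not part of the thread and not the draft's wire format). Assumptions: the ticket is opaque to the attacker, the Authenticator is an HMAC under the ticket session key, and TLS is reduced to one finite-field DH exchange plus a Finished MAC over the transcript; the DH group and the key schedule are toy stand-ins, not real TLS parameters.

```python
"""Toy model: Kerberos ticket as ClientCertificate, Authenticator as ClientVerify,
with three choices for how (or whether) the Kerberos exchange is bound to the DH.
All constants and helpers here are hypothetical simplifications for illustration."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy prime modulus; a real handshake uses a TLS named group
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def authenticator(session_key, timestamp, client_dh_pub=None):
    """Stand-in for the AP-REQ Authenticator sent as ClientVerify.
    With client_dh_pub=None it says nothing about the TLS handshake."""
    msg = timestamp.to_bytes(8, "big")
    if client_dh_pub is not None:
        msg += client_dh_pub.to_bytes(32, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def master_secret(shared, session_key=b""):
    """Stand-in key schedule; session_key=b"" means Kerberos is not mixed in."""
    return hashlib.sha256(b"master" + shared + session_key).digest()


def transcript(client_pub, server_pub):
    return b"transcript" + client_pub.to_bytes(32, "big") + server_pub.to_bytes(32, "big")


def finished(master, tr):
    return hmac.new(master, tr, hashlib.sha256).digest()


def handshake(binding, mitm):
    """Return True if the server accepts the handshake.

    binding: "none"          -> Kerberos and DH fully orthogonal
             "dh_in_auth"    -> Authenticator covers the client's DH public value
             "key_in_master" -> ticket session key mixed into the master secret
    mitm:    an active attacker relays the Kerberos material over its own DH shares
    """
    K = secrets.token_bytes(32)          # ticket session key: client and server have it, attacker does not
    ts = 1445000000                      # constructed timestamp
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()         # attacker's DH pair, offered to both sides
    c_peer = m_pub if mitm else s_pub    # share the client believes is the server's
    s_peer = m_pub if mitm else c_pub    # share the server believes is the client's
    kmix = K if binding == "key_in_master" else b""

    # Client
    auth = authenticator(K, ts, c_pub if binding == "dh_in_auth" else None)
    fin_to_server = finished(master_secret(dh_shared(c_priv, c_peer), kmix),
                             transcript(c_pub, c_peer))

    # Attacker: ticket and Authenticator are opaque, so they are relayed unchanged.
    # The Finished must be recomputed for the server-side DH; lacking K, the best
    # the attacker can do is derive the key from DH alone.
    if mitm:
        fin_to_server = finished(master_secret(dh_shared(m_priv, s_pub), b""),
                                 transcript(m_pub, s_pub))

    # Server
    auth_ok = hmac.compare_digest(
        authenticator(K, ts, s_peer if binding == "dh_in_auth" else None), auth)
    fin_ok = hmac.compare_digest(
        finished(master_secret(dh_shared(s_priv, s_peer), kmix), transcript(s_peer, s_pub)),
        fin_to_server)
    return auth_ok and fin_ok


if __name__ == "__main__":
    for b in ("none", "dh_in_auth", "key_in_master"):
        print(f"{b:14s} honest={handshake(b, False)} mitm_accepted={handshake(b, True)}")
```

With no binding the server accepts the relayed handshake and the attacker ends up holding both DH secrets; either binding makes the honest handshake still succeed while the relayed one fails, in the first case because the Authenticator no longer matches the DH share the server actually saw, in the second because the attacker cannot derive a master secret without the ticket session key.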
